I "remote wiped" my iPhone

Last month NPR carried a story about a woman, Amanda Stanton, whose iPhone was remotely disabled while she was travelling for work.

She had been talking on it and navigating with a GPS app during a work trip to Los Angeles. Then, without any warning or error message, the phone quit.

Her phone was hooked to her employers Exchange calendar and email system and someone in IT had mistakenly sent a "remote wipe" signal to her iPhone.  Her personal iPhone.  Amanda was shocked to discover that her employer could not only do that to an employee-owned device but she was upset that she had not been warned about what she was agreeing to in exchange for the convenience of checking her email and calendar.

Of course, my employer, like many others offers similar connectivity from iPhone, Blackberries and certain Android phones.  However, we make a point to inform the user up-front, via a waiver, that the offer comes with a caveat.  My employer warns users choosing to connect their personal devices in this way that we can and will remote-wipe their phone under certain conditions — theft, loss or termination.  This is done to protect company information.

But one sentence in the NPR article had me concerned.

Everything was gone — all her contacts, photos and even the phone's ability to make calls.

I didn't mind the idea of my contacts, photos etc being erased.  I back up my iPhone and iPad at least twice a day via iTunes.  If my iPhone was wiped I could easily restore my personal data from backup.  It was the thought that I would not be able to make calls that bothered me.  My wife and I cut the landline cord several years ago.  Our cellular phones are the only phones we have.  Accidental or intentional wiping of my iPhone would leave me without any means of communication.

As a person with Type 1 diabetes, I use insulin to manage my diabetes.  One of the side effects of insulin is hypoglycemia — low blood glucose.

Hypoglycemia is a condition that occurs when your blood sugar (glucose) is too low. Symptoms: Cold sweats; Confusion; Convulsions; Coma; Double vision or blurry vision

Because of the risk of hypoglycemia, my wife and I worked out a safety protocol. Before I drive, I test to get a measure of my current blood glucose. If it's low I take a small snack. When travelling, I call my wife when I leave or arrive at my destination. If I forget to call her or she doesn't hear from me, she calls me. Imagine how both of us would feel if we can't communicate?

I discussed this with my management and some of the other security analyst at the office.  I argued that remote-wipe resets iPhone back to factory defaults and that when I received my iPhone from Apple it could not make any calls until I activated it via iTunes.  However, they were all convinced that a remote wipe would not affect the iPhone's ability to make calls.  Of course, none of them would volunteer their phones for a test.  I called Apple support and spoke to a tech who told me that my colleagues were indeed correct. But I was not convinced.

I have a day off today.  I decided to put the question to bed.  I backed up my iPhone, logged into my employer's email portal and sent a remote-wipe request to my iPhone.  Three minutes later my iPhone suddenly rebooted — there was no indication that the wipe was occurring — and I was presented with a screen instructing me to connect my iPhone to iTunes.

Before connecting to iTunes, I swiped the "Slide to Unlock" and was presented with a dialer — for emergency calls. My iPhone in this state could make emergency calls only. The iPhone was not able to dial any numbers except for 911. I was not able to make any person to person calls or use any applications on the phone until I synced with iTunes. The iPhone also had a "No Service" message in the signal bars area.  My iPhone was now indeed reset to factory default rendering the iPhone completely useless (except for 911 calls).

Once the iPhone was restored from backup via iTunes — about 15 minutes during which the iPhone displayed a message “iPhone is activated” — and rebooted, I was once again able to make calls.  I had to sync on more time to re-install my 121 apps and re-initialize other iTunes specific settings (like folders and icon arrangements). That took another 15 minutes.

Shortly after doing this test, I removed my iPhone from my employer's servers.  In balancing my employer's risk against my own I've decided the convenience to them isn't worth the risk to me.  However, I have decided to leave my iPad connected to the email and calendar servers.  I don't make calls from that device.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale. #nobridge